Tuesday 21 January 2014

Security, Patching and the IoT: Buy Slaves not Masters!

I'm actually really glad that people are using insecure and unpatchable IoT devices to send spam. I'll explain in a minute.

That news broke just a week after this rant by some quite angry and bitter-sounding person at ArsTechnica. Perhaps he wished he had bought a regularly-updated Nexus instead of a Samsung phone, but I digress..

For a balanced view of all this, turn to the expert: Bruce Schneier had this prescient article on Wired, a couple of days earlier than that rant, and this on the Guardian from May last year.

Bruce tells us that these devices are usually running old, unpatched, vulnerable software, and updates are unlikely to be made available - even less likely to be applied if they are.


Solutions

Like I said, I'm actually glad that this high-profile hacking report has come out right here at the start of 2014, just when the IoT is hotting up. If there were a few smaller attacks here and there, they may not have been noticed under all the hullabaloo. But this one even made it into the mainstream popular press.

Which will focus everyone, who wants to make the IoT work, on solutions.

One solution is to wrap the insecure and seldom updated manufacturers devices with, say, Raspberry Pi hubs or controllers that run Ubuntu and open source middleware, and to have a regular software update process running on that, just like you would on your laptop.

You manage security at the layer above, and work around proprietary access methods and known vulnerabilities and bugs from that level.

Security and privacy are of course big challenges for the IoT - so this is a great time to open up the discussion about open standards and open source.

Fear the silo and the walled garden, and the consumer device software that tries to take too much away from you!

Buy slaves, not masters.

No comments:

Post a Comment